UAC and Windows 7. Microsoft listens.

Not so long ago, kriptópolis published an article (in Spanish) about a security vulnerability in the default UAC configuration of Windows 7: any malware program already running on the machine could change the UAC setting without the user ever being prompted, even to the point of turning UAC off completely, and so endanger the whole system.

Initially, the Engineering Windows 7 blog said that:

Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent

which, to tell you the truth, sounded more like a sad excuse than a real explanation.

Luckily, in a late but wise move, and after receiving a lot of negative feedback, it seems they have changed their minds and decided to treat it as a vulnerability after all:

we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

This is excellent news: on one hand because they are fixing the security vulnerability exposed by the previous behaviour, and on the other because it is refreshing to find Microsoft people finally answering and taking their users' comments into account.
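If you want to see for yourself which UAC level a machine is on, and confirm that a non-elevated process cannot simply rewrite it, the following PowerShell script is an added example written for this post (it is not code from kriptópolis or Microsoft). It assumes the standard mapping between the four UAC slider positions and the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop registry values, and that EnableLUA=0 means UAC is switched off; those assumptions are marked in the comments.

```powershell
# Added example (not from the original post): read the registry values behind
# the Windows 7 UAC slider, report the effective level, and check whether a
# non-elevated process can write them directly.
# Assumption: the slider positions map to the value pairs listed in
# Get-UacLevelDescription below, and EnableLUA=0 means UAC is off.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

$enableLua = $policy.EnableLUA
$consent   = $policy.ConsentPromptBehaviorAdmin
$secure    = $policy.PromptOnSecureDesktop

function Get-UacLevelDescription {
    param($EnableLua, $Consent, $Secure)

    # EnableLUA=0 disables UAC entirely once the machine reboots.
    if ($EnableLua -eq 0) {
        return 'UAC disabled (EnableLUA=0; effective after reboot)'
    }
    # The remaining two values encode the slider position in the control panel.
    switch ("$Consent/$Secure") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Notify only when programs try to make changes (Windows 7 default)' }
        '5/0'   { return 'Notify only when programs try to make changes, without dimming the desktop' }
        '0/0'   { return 'Never notify' }
        default { return "Non-standard combination: ConsentPromptBehaviorAdmin=$Consent, PromptOnSecureDesktop=$Secure" }
    }
}

# Is this shell running with the full administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Output ('UAC level : ' + (Get-UacLevelDescription $enableLua $consent $secure))
Write-Output ("Elevated  : $elevated")

# A non-elevated (medium integrity) process must not be able to lower the level
# by writing the policy key directly; the write below should be denied. The
# behaviour this post describes did not write the key itself: it drove the
# auto-elevated UAC control panel with synthesized keystrokes (the SendKeys
# mechanics mentioned in the Microsoft quote), which is what the RC change closes.
if (-not $elevated) {
    try {
        Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value $consent -ErrorAction Stop
        Write-Warning 'Unexpected: a non-elevated process could write the UAC policy key.'
    } catch {
        Write-Output 'Direct write to the UAC policy key denied for this non-elevated process, as expected.'
    }
}
```

Run it once from a normal shell and once from an elevated one: the level should read the same in both, and only the elevated run should be allowed to write the key. Any change in the reported level that you did not confirm through a UAC prompt is worth investigating.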
